There are 2 sides to the advice I'll give you? I've previously worked on
both sides of the fence! :-)

For their side:

1. You need to meet the person who leads their pen test practice. That
will allow you to get a feel for the attitude of the organisation.
2. Ask to see their methodology? Does it stand up to scrutiny? Do a
contrast and compare with the free standards out there:
A. OSSTMM
B. PTES
C. NIST SP 800-115
D. OWASP Testing Guide
E. Pen Testing framework

3. Ask for the qualifications of the team that will be performing your pen
test.
4. Sample reports would be good, but without context they're often just
pretty pictures and vague text, so don't rely on them.

For Your side:

1. What service do you want?
A. A one-off pen test to tick a box?
B. A recurring contract for Quarterly/Yearly/Ad Hoc Pen tests?
C. Option A with remediation advice and a re-test?
D. Haven't really thought about it and probably need advice? :-)

2. What's your budget?
A. Unlimited?
B. Non-existent?
C. Actually need to put together a business case and take it to the PTB!
:-)

Are you getting a picture here? The more professionally you engage with
the organisations the more professionally they'll respond and the amateurs
will drop by the wayside?

If you haven't done this before, then I'd suggest bringing in a consultant
to help you understand your requirements, build the business case and then
put together a proper RFI/RFP for the work involved.

>Hi all,
>
>I'm currently in the process of sizing up/comparing various
>Penetration Testing firms, and am having a bit of trouble finding
>distinguishing characteristics between them. I've looked at a fair
>few, but they all seem to offer very similar services with little to
>recommend one over another. What I'm looking for is an independent
>firm capable of doing external penetration tests against a small
>datacenter cluster of hosts and then providing a report of their
>results (I realize that I just described the general process of
>penetration testing).
>
>Does anyone on here have any specific recommendations on what to look
>for when choosing an independent penetration testing firm?
>
>Thanks,
>
>Remi